MS225-48FP, DHCP handed out by our firewall. Layer 2 switching only, 802.1x with RADIUS on a Windows domain controller.
Due to the limited number of ethernet ports in the wall, some areas of the office have a non-Cisco switch that passes VLAN tags and have multiple Mitel phones with people's computers tethered to Mitel.
We have 3 VLANs, let's call them:
VLAN 1 (native VLAN)
VLAN 2 (Voice VLAN)
VLAN 3 (IT Only VLAN)
With our legacy Cisco SG500-52P switch, there was an option for "Multi-Session" which allowed regular users who authenticated via 802.1x successfully to get onto VLAN 1 and for IT users who authenticated to be placed on VLAN 3. Phones are tagged and placed on VLAN 2.
However, with the Meraki MS225-48FP I am unable to get this configured correctly via Access Policy. If I select an access policy with Multi-Host or Multi-Auth, users get placed on the VLAN of whoever authenticates first. So if an IT user authenticates first, subsequent regular users get placed on the IT VLAN and vice versa. Phones are tagged correctly and placed on the correct VLAN 2.
Is there a way to configure multiple devices, multiple VLANs, multiple users authenticating 802.1x on a single port?
You can have
“After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port. Only one client is supported on the voice VLAN. Guest VLANs are not supported in this mode.”
Unfortunately, also using Multi Host won’t work either:
“With multi-host, a single successful authentication will put the port into a forwarding state. All subsequent authentication attempts are ignored.”
So in a nutshell: guess you’re out of luck here.
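The two quoted documentation passages, written out as a small decision model and replayed against the scenario from the question. This is an added example, not part of the original posts and not Meraki code; the `Port` class, the `replay` helper, the MAC labels and the assumption that RADIUS returns VLAN 1 for regular users are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Port:
    """Hypothetical model of one switch port under the quoted host-mode rules."""
    mode: str                           # "multi-auth" or "multi-host"
    data_vlan: Optional[int] = None     # VLAN pinned by the first authorized data host
    voice_client: Optional[str] = None  # the single client allowed on the voice VLAN
    forwarding: bool = False            # multi-host: port already opened

    def authenticate(self, mac: str, accepted: bool,
                     vlan: Optional[int] = None, voice: bool = False) -> str:
        """Return the port's decision for one 802.1X attempt."""
        if self.mode == "multi-host":
            if self.forwarding:
                return "ignored"        # later attempts are not evaluated at all
            if not accepted:
                return "deny"
            self.forwarding = True      # one success opens the port for everyone
            if not voice:
                self.data_vlan = vlan
            return "accept"
        # multi-auth: every host is authenticated individually
        if not accepted:
            return "deny"
        if voice:
            if self.voice_client not in (None, mac):
                return "deny"           # only one client on the voice VLAN
            self.voice_client = mac
            return "accept"
        if self.data_vlan is None:
            self.data_vlan = vlan       # first data host fixes the port's data VLAN
            return "accept"
        return "accept" if vlan == self.data_vlan else "deny"


def replay(mode, attempts):
    """Feed a sequence of (mac, accepted, vlan, voice) attempts to a fresh port."""
    port = Port(mode)
    return [port.authenticate(*a) for a in attempts]


# Constructed scenario: phone (VLAN 2), then IT user (VLAN 3), then regular user (VLAN 1)
ATTEMPTS = [
    ("phone-1", True, 2, True),
    ("it-pc", True, 3, False),
    ("user-pc", True, 1, False),
]

if __name__ == "__main__":
    for mode in ("multi-auth", "multi-host"):
        print(mode, replay(mode, ATTEMPTS))
```

Under these rules neither mode gives two data hosts on the same port different VLANs: the model denies the second one in multi-auth and never evaluates it in multi-host.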
Does "subsequent hosts must have matching VLAN information" mean the wired 802.1x info?
Try using the RADIUS authorization rule to assign the VLAN ID for the 2nd data domain device.